Challenge window from ADFS when on the corporate network

Question

I just read the article here: http://www.asp.net/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/single-sign-on

I have just finished building an app that can authenticate users via WAAD, or via a local installation of ADFS on their corporate network (configuration point allows them to select one or the other).

The app will be hosted in Azure. Can someone tell me if it is possible for users who are on their corporate network to login to this Azure app WITHOUT entering their credentials?

Here is the flow:

1. user navigates to the cloud app
2. FAM detects they aren't authenticated, and redirects the browser to their ADFS server on the corporate network
3. ADFS server replies with 401 challenge (I assume this is what's happening)
4. user sees a user name/password box, and enters in credentials
5. user is redirected back to the cloud app with a token containing their claims

I don't understand why #4 is required if the user is already on their corporate network. Shouldn't ADFS use Windows Authentication here so they don't have to enter their password? Is there a way to configure ADFS to do this?

Thank you!

Answer 1

This can be accomplished by adding the Url of the ADFS endpoint to the local intranet or trusted sites of Internet Explorer. By default Internet Explorer will pass in the Windows credentials to sites in those two groups. If that doesn't work, you would have to double check that setting hasn't been modified.